Protect your Online Accounts with Two-Step Verification

Submitted by radj on Wed, 2015/03/11 - 8:00pm

It's called Two-Step Verification simply because it verifies you twice before granting access to your account, using two things: your password and something that is with you, like your phone. You should enable this on all your online accounts that support it. Why? To protect yourself and your data from being accessed by unauthorized peeps even if they get hold of your password.

Social engineering: phishing for your password

How do other people gain access to your account? They steal and then use your password. How? By social engineering. What's that? It's a broad list of mind tricks to get you to surrender your information. One rampant method is phishing.

There are plenty of ways to phish but a common way is for a cracker (not hackers anymore, please) to send you a fake Facebook email notification that will lead you to a Facebook website clone that they created. You try logging in and poof, you have submitted your username and password to their fake Facebook website. There are many other common ways for them to get your password.

This isn't only for Facebook. There's phishing for all websites. You should know that even bank websites are not exempt.

Two-step verification

Websites that have adopted two-step verification or two-factor authentication are protecting your account by determining it's really you logging in (and not an angry ex trying to check your message history) with two steps:

Step One: The website verifies if you know the email and password to log into your account with the default login screen.

Step Two: After you pass Step One, the website sends you a message containing a code over another channel that only you can access. You use this code to complete your login.

There are many channels to get the code to you but the common ones are via email, SMS, or via an authentication app (more about this app later). Options may vary depending on the website. Since it is expected that only you have access to your SMS messages, email, or authentication app, Step Two will check if it's really you trying to log in.

How does this protect you?

If your password is stolen via phishing (or it's super simple and can be guessed, which is also a bad thing), a secret admirer may use this info to log into your account. They will successfully pass through Step One above. However, when the website sends a code to your phone or email, the psychopath fan will not get this code and thus cannot go past Step Two. It's pretty simple.

Mercenaries will probably have a gun to your head and ask you to do Step One and Two yourself assuming you have information worth blowing your head off for.

Enable it on these websites now!

Now that you understand what two-step verification is, here's a nice list of websites that support two-factor authentication:

| Service | SMS | Authentication app | Email |
|---|---|---|---|
| Google ID (all Google services) | Yes | Yes | No |
| Apple ID | Yes | Yes | No |
| Facebook | Yes | Yes | No |
| Twitter | Yes | Yes | No |
| Yahoo | Yes | Yes | No |
| Dropbox | Yes | Yes | No |
| Box | Yes | Yes | No |
| Microsoft Live (Skype, OneDrive) | Yes | Yes | No |
| Yahoo | Yes | No | No |
| PayPal | Yes | No | No |
| LastPass | No | Yes | No |
| HootSuite | No | Yes | No |
| Steam | No | No | Yes |
| GoDaddy | Yes | No | No |
| GitHub | Yes | Yes | No |

I'm sure you're using more than a handful of these services. You will have to do your own homework on how to find the security settings in the websites you use. You can find a better-looking table with more websites on Two Factor Auth List.

Authentication apps

Another way for you to acquire Step Two codes is using an authentication app. One example is Google's Authenticator app (available on the Android Google Play Store and iOS App Store). This leverages the fact that it will be installed on a phone that will always be with you. After setting it up with the website that supports it, use the app to get the Step Two codes to proceed with your login. You would know a website supports an authentication app because it will show you a QR code on its security settings.

Google has a nice video summarizing everything I've discussed and how to set up the Google Authenticator app.

Set up your two-step authentication with websites you use now! If a website you use doesn't have two-step verification, contact its support personnel and ask them to improve their security settings to protect their users.